CVE-2015-9249

Vulnerability

The SOAP endpoint /skyboxview/webservice/services/VersionWebService in Skybox Platform versions before 7.5.201 is vulnerable to SQL injection through the soapenv:Body element. An unauthenticated attacker can inject arbitrary SQL statements into the service's backend database query. [1]

Exploitation

An attacker with network access to the Skybox Platform can send a crafted SOAP request to the affected endpoint. No prior authentication or special privileges are required. The malicious SQL is embedded within the soapenv:Body element of the request, and the server executes the injected commands against the underlying database. [1]

Impact

Successful exploitation allows the attacker to read, modify, or delete database contents. This can lead to disclosure of sensitive information, such as user credentials and configuration data, as well as potential application compromise. The attacker gains the ability to execute arbitrary SQL statements with the same privileges as the database user used by the web service. [1]

Mitigation

Skybox Platform version 7.5.201 and later contain the fix for this vulnerability. Administrators should upgrade to the latest available version. As of this writing, the CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]